Diffstat (limited to 'doc/nginx-ssl-php-fpm.markdown')
-rw-r--r-- doc/nginx-ssl-php-fpm.markdown | 238
1 files changed, 238 insertions, 0 deletions
diff --git a/doc/nginx-ssl-php-fpm.markdown b/doc/nginx-ssl-php-fpm.markdown
new file mode 100644
index 00000000..61afd2b1
--- /dev/null
+++ b/doc/nginx-ssl-php-fpm.markdown
@@ -0,0 +1,238 @@
+Kanboard with Nginx, HTTPS, SPDY and PHP-FPM
+============================================
+
+This installation example will help you to have the following features:
+
+- Latest stable nginx version
+- HTTPS only with a valid certificate
+- [SPDY protocol](http://en.wikipedia.org/wiki/SPDY) activated
+- PHP 5.5 with php-fpm
+- Recommended security parameters
+- File uploads with a 10MB file size limit
+
+This procedure is written for **Ubuntu 14.04 LTS** but it should be similar for any Linux distribution.
+
+For this setup, we suppose that only Kanboard is installed on the server.
+It can be a small virtual machine by example.
+
+Kanboard detect automatically the utilization of HTTPS and enable some extra features:
+
+- [HTTP Strict Transport Security](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+- [Secure Cookie Flag](http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly)
+
+PHP 5.5 Installation
+--------------------
+
+```bash
+sudo apt-get install php5-fpm php5-cli php5-sqlite
+```
+
+You can also install `php5-mysql` if you prefer to use Kanboard with Mysql or MariaDB.
+
+Customize your `/etc/php5/fpm/php.ini`:
+
+```ini
+; Security settings
+expose_php = Off
+cgi.fix_pathinfo=0
+
+; Log errors
+error_reporting = E_ALL
+display_errors = Off
+log_errors = On
+html_errors = Off
+error_log = syslog
+
+; File uploads
+upload_max_filesize = 10M
+post_max_size = 10M
+```
+
+Restart PHP background processes:
+
+```bash
+sudo service php5-fpm restart
+```
+
+Nginx Installation
+------------------
+
+We want the latest stable version of nginx to be able to use the SPDY protocol.
+Hopefully, there is PPA for Ubuntu (unofficial):
+
+```bash
+sudo add-apt-repository ppa:nginx/stable
+sudo apt-get install nginx
+```
+
+Generate a SSL certificate
+--------------------------
+
+We want a SSL certificate that work everywhere, not a self-signed certificate.
+You can buy a cheap one at [Namecheap](http://www.namecheap.com/?aff=73824) or anywhere else.
+
+Here the different steps to configure your certificate:
+
+```bash
+# Generate a private key
+openssl genrsa -des3 -out kanboard.key 2048
+
+# Create a key with no password for Nginx
+openssl rsa -in kanboard.key -out kanboard.key.nopass
+
+# Generate the Certificate Signing Request, enter your domain name for the field 'Common Name'
+openssl req -new -key kanboard.key.nopass -out kanboard.csr
+
+# Copy and paste the content of the CSR to the Namecheap control panel and finalize the procedure
+cat kanboard.csr
+
+# After that, you receive by email your certificate, then concat everything into a single file
+cat kanboard.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt AddTrustExternalCARoot.crt > kanboard.pem
+```
+
+Copy the certificates in a new directory:
+
+```bash
+mkdir /etc/nginx/ssl
+cp kanboard.pem /etc/nginx/ssl
+cp kanboard.key.nopass /etc/nginx/ssl
+chmod 400 /etc/nginx/ssl/*
+```
+
+Configure Nginx
+---------------
+
+Now, we can customize our installation, start to modify the main configuration file `/etc/nginx/nginx.conf`:
+
+```nginx
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # SSL shared cache between workers
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # We disable weak protocols and ciphers
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers HIGH:!SSLv2:!MEDIUM:!LOW:!EXP:!RC4:!DSS:!aNULL:@STRENGTH;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ # We enable the Gzip compression for some mime types
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+```
+
+Create a new virtual host for Kanboard `/etc/nginx/sites-available/kanboard`
+
+
+```nginx
+server {
+ # We also enable the SPDY protocol
+ listen 443 ssl spdy;
+
+ # Our SSL certificate
+ ssl on;
+ ssl_certificate /etc/nginx/ssl/kanboard.pem;
+ ssl_certificate_key /etc/nginx/ssl/kanboard.key.nopass;
+
+ # You can change the default root directory here
+ root /usr/share/nginx/html;
+
+ index index.php;
+
+ # Your domain name
+ server_name localhost;
+
+ # The maximum body size, useful for file uploads
+ client_max_body_size 10M;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # PHP-FPM configuration
+ location ~ \.php$ {
+ try_files $uri =404;
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php5-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ }
+
+ # Deny access to the directory data
+ location ~* /data {
+ deny all;
+ return 404;
+ }
+
+ # Deny access to .htaccess
+ location ~ /\.ht {
+ deny all;
+ return 404;
+ }
+}
+```
+
+Now it's time to test our setup
+
+```bash
+# Disable the default virtual host
+sudo unlink /etc/nginx/sites-enabled/default
+
+# Add our default virtual host
+sudo ln -s /etc/nginx/sites-available/kanboard /etc/nginx/sites-enabled/kanboard
+
+# Check the config file
+sudo nginx -t
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+
+# Restart nginx
+sudo service nginx restart
+```
+
+Kanboard Installation
+---------------------
+
+You can install Kanboard in a subdirectory or not, it's up to you.
+
+```bash
+cd /usr/share/nginx/html
+sudo wget http://kanboard.net/kanboard-latest.zip
+sudo unzip kanboard-latest.zip
+sudo chown -R www-data:www-data kanboard/data
+sudo rm kanboard-latest.zip
+```
+
+Now, you should be able to use Kanboard with your web browser.
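Review bot: the `data` directory deny block in the virtual host is ordered after the PHP block, so it does not cover everything the comment promises. nginx evaluates regex `location` blocks in the order they appear and stops at the first match, and `location ~ \.php$ {` comes before `location ~* /data {`; any URI ending in `.php` under the data directory is therefore handled by the FastCGI block and the deny rule is never consulted. Move the `/data` block above the PHP block (or give it a tighter pattern such as `~* /data/`, which also avoids matching unrelated paths that merely contain the string `/data`, e.g. a JavaScript file under `assets`). Inside that block and the `.ht` one, `return 404;` runs in the rewrite phase before `deny all;` is reached in the access phase, so the `deny all;` line is dead; keeping only `return 404;` gives the intended behaviour (the directory's existence is not revealed) without the misleading extra line. Smaller points: `ssl on;` is redundant with `listen 443 ssl spdy;`; `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` should be reduced to `TLSv1.2` on a new deployment, since TLS 1.0 and 1.1 are deprecated; the document claims "HTTPS only" but defines no port 80 server, so plain-HTTP requests fail rather than redirect, and a small `listen 80` block returning a 301 to `https://$host$request_uri` would make the claim true; and the installation step fetches `kanboard-latest.zip` over plain `http://` with no integrity check, so it should at least use HTTPS and verify a checksum or signature if the project publishes one. Finally, after the `cp` into `/etc/nginx/ssl`, the unencrypted `kanboard.key.nopass` still sits in the working directory; the text should tell the reader to delete that copy.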